limit browse right to share

I have a share named Labs and the share possesses only the share right: read. We map a drive to this share. Inside this share I have 4 folders. All users need access to folder1. They only need to be able to see the other folders in which they have rights to. Rights are granted via a group membership. So group2 needs to be able to see folder1 and say folder2. However, group2 does not need to be able to see folders 3 or 4 or a listing of the contents. How can I set this share up to where they can only see the files or folders within that I have given them explicit rights to?
You would want to grant/deny List Folder Advanced rights...See goes into detail on Advanced permissions.

If you can respond with the groups that need or don't need access, I can provide more specific help, or use this as a guide:

Folder1 'security' permissions would be Read/Write (or whatever desired for this one).

Folder2 security permissions would be Read & List Folder for Group2
Folder3 & 4 security permissions would be to deny List Folder for Group2.

Remember that the effective permissions between sharing and security are the most restrictive between the two.
Effective permissions between group memberships are the least restrictive...
What I would do is set the Labs share to authenticated users/full control and then go to the security tab and use NTFS permissions to lock down the top folder and subfolders. If you do not have NTFS, you cannot do this. If you set the share permissions as I said and then set the NTFS to read on that folder, then now they have read only as the NTFS permission overrides the share permission due to being most restrictive. Then you can go to each subfolder level, place the appropriate group in the DACL (Discretionary Access Control List) for that folder and give them the needed permission. This will get you close to what you are looking for.

Let's say labs is set to read only, folder1 has authenticated users/modify and folder 2 has group2 listed on its DACL with modify. Folder 3 and folder 4 don't have group2 or authenticated users on their DACLs. Members of group 2 cannot see INTO folder3 and folder 4 but have access into folder 1 & 2 due to being in the 2 groups mentioned. Now, they can see the other folders 3 & 4, but not their contents. MS does not make it easy to hide subfolders even when you do not have the rights to access them. There is a way to do it with Active Directory, but that assumes your users only use AD to find the shares and no other means. If they browse to it and bypass AD they still see folders they don't have access to.

The only other way is to structure the folders so they are not all in the same folder and each have a separate share, but I find that too messy.
carchibaldAuthor Commented:
I ended up granting full share permissions to the root of the share. Then blocking inherited rights on the folders I do not need everyone to see. Then used group assignments to give users the rights to their folders. They can still see the root. But when they try to access the contents of a folder they do not have group membership to, they get an access denied message. This works for now but will use Access-based Enumeration on the next lab.
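
The layout discussed in this thread (wide-open share permissions, NTFS DACLs per folder, plus Access-based Enumeration so unreadable folders are hidden), as an added example that is not part of any poster's reply. Assumptions not taken from the thread: the path `D:\Labs`, the domain `LAB`, the groups `Group3` and `Group4`, and a server new enough to have the SmbShare cmdlets (Windows Server 2012 or later).

```powershell
# Added example. Hypothetical names: D:\Labs, LAB\Group2..4. Run elevated.
$root = 'D:\Labs'
$layout = [ordered]@{
    'Folder1' = 'NT AUTHORITY\Authenticated Users'   # everyone needs this one
    'Folder2' = 'LAB\Group2'
    'Folder3' = 'LAB\Group3'
    'Folder4' = 'LAB\Group4'
}

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Root: grant the explicit ACEs first, then drop everything inherited from
# the volume. Admin/SYSTEM ACEs are inheritable; the user ACE has no
# (OI)(CI) flags, so it lets users list the root and flows no further.
icacls $root /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
icacls $root /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
icacls $root /grant 'NT AUTHORITY\Authenticated Users:(RX)' | Out-Null
icacls $root /inheritance:r | Out-Null

foreach ($name in $layout.Keys) {
    $path = Join-Path $root $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    # Modify for the owning group only, inherited by files and subfolders.
    icacls $path /grant "$($layout[$name]):(OI)(CI)M" | Out-Null
}

# Share permissions stay permissive; NTFS is the restrictive side.
# AccessBased hides entries the caller has no read access to.
if (Get-SmbShare -Name 'Labs' -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name 'Labs' -FolderEnumerationMode AccessBased -Force
} else {
    New-SmbShare -Name 'Labs' -Path $root `
        -FullAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased | Out-Null
}

# Review the resulting DACLs and the share's enumeration mode.
foreach ($name in $layout.Keys) { icacls (Join-Path $root $name) }
Get-SmbShare -Name 'Labs' | Select-Object Name, Path, FolderEnumerationMode
```

No deny ACEs are used: a member of Group2 simply has no ACE on Folder3 or Folder4, so Access-based Enumeration omits them from the listing and a direct path attempt still returns access denied.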

Windows Server 2003
